Re: phew! — It depends.

1. It depends on where you are on this planet, different rules, different places.

2. Don't create an account on a machine that already has an account or one where you have tried and failed previously.

3. If Google is already chasing you for a phone number, use another machine and IP address.

4. It's often best to use a new/clean machine every time.

5. If you are at the point that Google wants a phone number do not attempt to use the same email address that you attempted to use earlier, always do things anew.

6. After getting the phone number problem, I also found that leaving it for a few days and then using a colleague's machine (whose ISP and IP are different) together with a completely different/new username worked OK.

Re: phew!

I was on a school connection (so thousands of Google users, and all kinds) on the guest wifi (i.e. about as anonymous as you can get and the equivalent to doing it at a library or a cyber-cafe).

You DON'T need a mobile to sign up for a Google account. It might pressure you for one, but it's not required.

And if you live in a country where Google require it, you have no Internet freedom anyway because Google only do it where they are made to do it.

But the premise that you need to give a phone number to get a Google account is nonsense - and you could use a proxy or public wifi to sign up for one in seconds. In fact, if that proxy or wifi is tied to ten thousand other Google accounts, it actually HELPS your anonymity if you wish to retain that, surely?

Re: phew!

"You DON'T need a mobile to sign up for a Google account. It might pressure you for one, but it's not required."

Quite - and whenever I've logged in on a computer (not often, but often enough for this to be noticeable) if I've seen the prompt to add my phone number, I've always skipped it. However, somewhere down the line I stopped seeing that prompt for my number - and I also noticed receiving text messages from Google reporting log-ins on a "new" device whenever I logged in on my computer (it's always "new" when cookies don't survive beyond the session).

Re: Two fucking years, Yahoo!

I agree but then I thought about it from another perspective.

If you were hacked for data how would you know?

A. It starts appearing on the net.

B. You discover the breach yourself.

If A didn't happen (and if it did, we would have found out about this a lot sooner), then it's either people that want to keep it a secret and use it for themselves, which means it could in fact be state sponsored.

If B didn't happen straight away how is it that 2 years later they find out? That doesn't make any sense, why would you audit 2 year old logs?

I always thought...

Why would people sue?

This is an email account, not like they swiped credit cards or social security numbers or something like that (I would expect Yahoo would not need that information for signing up for an account anyway).

Re: Have account from 2004.. or so...

I think they did. I have a Yahoo account for posting to a mailing list, and I changed passwords recently. There was nothing in the emails I got, but I had to change when I logged in recently to post something. There must be a lot of dormant accounts, and they must know it, but that huge total looks impressive.

I know other companies which pull that trick of never deleting an account, possibly to mask a falling customer base.

Re: Have account from 2004.. or so...

Apparently not. According to the "activity log" or whatever they call it my password was last changed over two years ago. Just changed it again, and I guess there was a point to not associating any personal info whatsoever with that account after all...

It is what it sounds like

Re: It is what it sounds like

The part that’s missing from their FAQ is when (and how) it was discovered. Perhaps this is how:

"Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo's program in December 2015, …"

...have launched programs to detect and notify users when a company strongly suspects that...

Sounds like a natural-language-processing program that listens in to the daily boss-level meeting and tries to detect "strong suspicion". Once matching criterion 0.95 is reached, it automatically fires off mails!

Whoever said they were yahoo webmail accounts? Lots of people have yahoo accounts for yahoo messenger, yahoo groups and many other things. Is it perhaps that list of user accounts that was stolen? Yahoo accounts does not equal yahoo webmail.

To the best of my knowledge, a Yahoo account is all of the above anyway.

I know my old Geocities account that became a Yahoo account also logs me in over Yahoo Messenger (who uses that nowadays?!), Yahoo webmail, Yahoo groups, etc.

Yahoo accounts are therefore likely centralised and if you have the details of one, you have them all (I doubt there are 500m Messenger usages, or 500m Groups users, or 500m old Geocities users!). I haven't logged in via Yahoo Mail for several years (2009 by the inbox I just looked at), so it's stupid if my credentials are lying around only on Yahoo Mail, and incredibly unlikely that only a single Yahoo service was hacked.

It sounds like a central Yahoo database. But, nowadays, nobody uses any of that other junk and only Yahoo Mail is likely to be heard of, which is probably why the article says that.

The penny now drops as to why, once in a blue moon, I get an occasional malware email that purports to come from my brother's ex. It doesn't come from her old Sky email address in full - but the left hand side of the address is hers. It's probably not an uncommon name, but when she signed up with Sky the person at the other end cocked up and spelt her name incorrectly - and that appears in the left hand side of these emails.

A bit elitist aren't you El Reg?

Just because a group of tech-savvy hacks in a developed country haven't used their Yahoo accounts for over a year doesn't mean that there aren't a lot of people using this service regularly. I have many African contacts for whom a Yahoo account (often French) is the only way to reliably contact them. These are often senior academics and government workers whose "work" email very often doesn't (work, that is).

There is more than half a world outside the US and western Europe that relies on the kind of technology and services you make fun of (that's why there is still a market in PCs despite their demise being regularly forecast in these pages). Whether this information breach is going to affect people significantly is hard to say (it was two years ago, after all), but it will concern a lot of real people who use their Yahoo accounts every day.

Re: A bit elitist aren't you El Reg?

I use Yahoo. It supports IMAP so my phone/tablet can pick it up using a "real" mail program and not whatever GMail thinks it is. It is an address I can give out, without worrying too much if people are going to do idiotic things like group mail with my address (and all the others) in the To line.

I have a private email. Maybe ten people know the address. Accordingly, their messages to me get read quickly as I look there first/most often.

There is a point to having a third party deal with a mail service so people you don't necessarily want to hear from can attempt to contact you...

By the way, after this disclosure, what's Yahoo! going to be going for now? I'll put my offer on the table: a half-eaten pack of wasabi flavoured crisps. If you sell it to me quickly, I'll throw in some stale Lindt chocolates.

Re: A bit elitist aren't you El Reg?

I also use Yahoo with POP access, it is OK for spammy stuff but it suffers a lot more spam than gmail seems to with a significant upsurge in the last month or so. Maybe this explains a bit?

No phone number with mine, but every (rare) time I use the web login it pesters for one. However if signing up now they demand one.

Gmail didn’t demand one at sign-up but the fskers blocked POP access when I went abroad for a trip and pestered for a phone number to unlock it, which it was simply not worth giving. Returned to operating again when back home.

Re: A bit elitist aren't you El Reg?

Not sure what the beef is with spam (cue comments about pork). 99% of spam goes straight to the spam folder, leaving <10 messages a month in the inbox. I've been using Y! webmail for years, with Ublock Origin and Yahoo Mail Hide Ad Panel plugin, and it works great for me. I considered switching around the time that Marissa's minions fucked around with it for a few months, but they have left it alone since then.

I've looked at other webmail offerings (don't want POP3 or IMAP) and I haven't seen anything better so far. YMMV, of course.

Re: A bit elitist aren't you El Reg?

"Gmail has full imap support too."

Yes, and my "me" email address is a Gmail one; there's not much point in trying to hide from an online store you just bought something from who they need to ship it to. My Yahoo address is my "not me" email, for things that have no need or no business having any idea who I really am. Now, this may sound paranoid to you, but I don't find having both those accounts with a single provider such a great idea - hence Yahoo, the only _other_ free email provider I can still access via POP3 or IMAP.

What is this I don't even

Hackers strongly believed to be state-sponsored

What does that even mean!

I strongly believe Hillary will take the mic soon, having strongly detected an unholy alliance of Pepe the Sadfrog and the ever elusive all-powerful P.U.T.I.N. organization to ravage the purple yodeling cowboy, a strong symbol of Yankee Americanism, so as to have his star-spangled arse transformed into Cordon Bleu.

This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database this summer.

Re: What is this I don't even

"email all those thought to be affected"

I won't be getting that e-mail. I was just wondering if I should pull Yahoo from my mail server's blacklist because the spam deluge had settled down to a tiny trickle. It looks like now isn't a good time.

An observation - it is possible the passwords have been cracked

Last Autumn I had the unpleasant experience of having to tell my boss to disregard an email from me as it contains a virus of some sort and was not sent by me.

It was, however, marked as coming from me, and sent to a large number of people. After scouring my machine to try to track down the addresses present in the mail (it was an odd assortment, mostly people I know but it wasn't any addressbook I could lay my hands upon). The more I puzzled over this, the more it looked like it was basically listing the history of messages sent from my Yahoo! account. I was aware of this as I send myself messages when testing stuff like the phone/tablet settings are correct.

How would this information be available if the account had not been compromised? That's a question we ought to be asking here. So either Yahoo! has yet another leak, or the passwords are being cracked. I don't know why they didn't hit the addressbook. Too obvious, maybe? It's rather clever to target those addresses a person has actually sent messages to.

At any rate - perhaps their entire client database got lifted and they took two years to notice? Nice work. {slow handclap}

Re: An observation - it is possible the passwords have been cracked

Most websites handle websites wrong. Unless they are using a correct password hash with a random per-record salt, they can be cracked. If they are using any type of encryption or an unsalted hash, they might as well be plaintext.

So if a website you use is breached, consider everything (passwords, email, security questions, etc) you used there compromised.
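What the random per-record salt mentioned in the comment above changes in a stored credential table, as an added example that is not part of the original thread. The account names and passwords are constructed, and PBKDF2-HMAC-SHA256 from Python's `hashlib` with the iteration count shown is one assumed choice of slow password hash, not anything Yahoo is stated to have used.

```python
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Per-record random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def repeated_digests(digests) -> int:
    """Count stored records whose digest also appears on another record."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)


# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "Summer2016!", "bob": "Summer2016!", "carol": "x9#Lq2vT"}


def audit() -> tuple[int, int]:
    """Return (repeats in the unsalted table, repeats in the salted table)."""
    weak = [unsalted_hash(pw) for pw in USERS.values()]
    strong = [hash_password(pw) for pw in USERS.values()]
    return repeated_digests(weak), repeated_digests(d for _, d in strong)


if __name__ == "__main__":
    print(audit())
```

In the unsalted table the two matching rows show that one guess (or one precomputed lookup) recovers every account sharing that password; with per-record salts each row has to be attacked separately at the full work factor.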